On Sat, 5 Aug 2000, OKDesign oHG Security Webmaster wrote:
Someone might install some scripts to USER account and for example copy all input/output to a file, including su passwords.
Good idea. But how should he manage to get this script started ? And even if the script IS started and running, I should see it when doing a ps, shouldn't I ? And I always do ps axf before doing any su-like thing.
Any other holes ?
You can not rely on any operations after someone compromises your account. A script could be run in your .login or any other .rc file. The attaker might even compile a new binary for some of your commands (for example su or ps ) to snoop your passwords and place it to your path before the real one. Of course he can only put it in some directory that user has privileges to write, but still it is possible to make your users environment hostile. Checking prosesses would then only show 'normal' things after all he might even have changed your bash (or another shell you use to some hacked binary) and the .login script might run that malicious shell for you before you get to type in even the first command. This shell could be carefully crafted to hide its existence in every aspect, as it could process input and output of commands like ps and su anyway it sees fit. -Pete
--- Stephan
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com